This blog takes a unique perspective on supply chain risks and on why, in an evolving risk landscape, a risk assessment is critical to the goods and services in a supply chain.

What is a “supply chain”?

A supply chain is a network between a company and its third parties that produces and distributes goods or services from the initial supplier to the end buyer. This network comprises various operations, individuals, organizations, knowledge and resources. The supply chain also represents the steps needed to bring goods or services to the customer from their earlier form, such as raw materials. The entities involved in the supply chain include producers, vendors, warehouses, transportation companies, distribution centers, and retailers, as well as potential suppliers. These network elements are a very important part of the business cycle. If one link collapses, it can impact the majority of the chain, and the effect can be devastating.

The rationale behind building a supply chain can be defined as “cost optimization,” allowing companies to cut costs and stay competitive in the business landscape. Cost optimization also means a shorter manufacturing cycle for businesses.

Think about how the current global pandemic has affected global supply chains, and in particular those of the United States, in meeting the need for mass medical supplies. Coronavirus-related shutdowns worldwide led to serious disruptions in the supply chain for medical supplies such as ventilators, masks and respirators, which potentially endangered the health of American citizens.

Supply Chain Continuity in a Digital World

In a tightly knit digital world, supply chain entities are inherently risky elements of a digital ecosystem. Just like in the physical world, if one link breaks, it will disrupt the continuity of the entire supply chain.

In the digital era, supply chains have undoubtedly created a target-rich environment for hackers to exploit vulnerabilities. Aiming to steal personal data, identities, and even company secrets, hackers are lured to supply chain vulnerabilities. These threat actors sneak through the cracks and hit weaker “suppliers” to harvest information that leads them to larger organizations, which creates a ripple effect across the entire supply chain.

According to recent research, the financial loss from a ripple event in a supply chain is 13 times larger than single-party attacks. [1]

Growing Cyber Risks in the Supply Chain

Some of the most sensational supply chain attacks in the last decade were the Target, British Airways and AMCA breaches. British Airways faced the largest GDPR fine, AMCA leaked massive amounts of healthcare records, and Target spent a record-breaking amount on lawsuits. Supply chain attacks have continued to grow since.

Beginning in February of 2020, the FBI sent out several security warnings concerning an ongoing hacking campaign aimed at supply chain software providers in the U.S. private sector.

“Software supply chain companies are believed to be targeted in order to gain access to the victim’s strategic partners and/or customers, including entities supporting Industrial Control Systems (ICS) for global energy generation, transmission, and distribution,” the FBI claims.

According to the FBI, the hackers have been leveraging Kwampirs malware, a RAT (remote access trojan), in their attacks. The same malware has been detected in the healthcare, energy and financial sectors.

Symantec’s statement on the group codenamed Orangeworm, which is assumed to be behind the Kwampirs malware, gives insight into how hackers take advantage of supply chain vulnerabilities:

“Orangeworm’s secondary targets include Manufacturing, Information Technology, Agriculture, and Logistics. While these industries may appear to be unrelated, we found them to have multiple links to healthcare, such as large manufacturers that produce medical imaging devices sold directly into healthcare firms, IT organizations that provide support services to medical clinics, and logistical organizations that deliver healthcare products.”

Throughout the course of 2020, threat actors crafted phishing campaigns as initial vectors in their attacks. In some cases, they even attempted to deploy ransomware through inherent cybersecurity vulnerabilities in the IT systems of the healthcare supply chain. One example that security researchers observed was the campaign from the crime gang codenamed TA505, which used a coronavirus lure as part of a downloader campaign [1], [2]. While the group previously targeted retail and finance, its new targets during the pandemic became the supply chains of the U.S. healthcare, manufacturing, and pharmaceutical industries. Although espionage stands as the top objective behind the aforementioned campaigns, these hacker groups also tend to steal bulk personal data, intellectual property, and broader information supporting those aims, disrupting the continuity of the healthcare supply chain.

How to Mitigate These Risks

Whether it is an attack on a software supply chain or on a vendor of a retail store, the business continuity of the supply chain boils down to effectively assessing and managing risk.

It is important that supply chain managers adopt a risk-aware attitude in the entire supply chain. This logic will allow them to focus their limited resources on suppliers/vendors who present a risk beyond the organization’s risk appetite, instead of performing time-consuming assessments on a vendor who poses a low probability of financial loss. 

To accurately define the risk, risk managers need to delve into threat scenarios, the affected asset(s), and their value to the organization as well as to the entire supply chain. Threat scenarios and their possible consequences with regard to contracts and regulations should also be thoroughly analyzed.

The number one rule in a supply-chain risk manager’s guide should be:

If a company is bound by certain laws, regulations, contracts, risk thresholds, and so on, then its suppliers and vendors automatically need to meet these requirements.

At the end of the day, supply chains need to be assessed and continuously monitored with regard to their commitment to the business’s risk tolerance, regulatory compliance and contractual requirements.

How Can Black Kite Help?

Monitoring and continuous oversight of your supply chain is critical. Maintain a mindset that goes beyond your organization and includes anywhere your data is handled during the process.

Black Kite’s Third-Party Risk Assessment continuously assesses an entity or a supplier throughout the entire supply chain, capturing critical information in the cyber risk dashboard and providing detailed drill-down capabilities to fully understand and mitigate the risk. Ongoing monitoring surfaces prioritized risks and measures cyber risk posture improvement over time. By providing a Cyber Rating (technical), Compliance Estimations (policies and processes), and Open FAIR™ results (the probable impact in financial numbers), Black Kite provides a 3-dimensional risk picture of a supply chain.

Assessing Supply Chain Risk in Dollars & Cents

Cybersecurity reporting has become a critical issue between the technical team and the board. Most security issues get “lost in translation” when reported upwards to the executive level. Black Kite uses the Open FAIR™ model to calculate the probable financial impact in case of a data breach. By translating “security language” into “business language”, the Financial Impact Assessment has been a game-changer in security reporting.

Open FAIR™ is the only international standard Value at Risk (VaR) model for cybersecurity and operational risk. Platform users can leverage Open FAIR™ results to prioritize resource allocation.

Having the capacity to use an Open FAIR™ assessment for supply chain risk management elevates the risk management program. This tool helps attain the goal of cost-effectively achieving and maintaining an acceptable level of loss exposure, while also clearly conveying the breadth of risk factors across the organization.

Learn more at www.blackkite.com.

References:

[1] https://otx.alienvault.com/pulse/5ea06a3ce9030e041b86dbb5
[2] https://blog.cyberint.com/covid-19-ongoing-cyber-updates#TA505LeveragestheCrisistoDropCobaltStrike